tv   Former CIA and NSA Director Michael  CSPAN  August 10, 2013 11:30am-12:21pm EDT

11:30 am
davis ineend -- wendy texas as well at her filibuster as a texas -- of a texas abortion bill. >> many of you heard my name for the first time last month when, as allison said, in the last hours of the texas legislative session, the partisans in power attempted to pass not just an abortion bill, but a bill that would block health care access to tens of thousands of women across the state of texas. in the process, these partisan lawmakers were seeking to rob texas women of their voice. because when women showed up at to testify, and they showed up by the thousands, many of them were turned away. and they were unable to give voice to an issue that had a very real impact on their lives. before i took the floor that
11:31 am
morning for the longest 13 hours of my life, i worked with my staff to track down testimony that had been submitted in the committee hearings that had not been read. during the next hours, i read every single one of their stories out loud. these were real people with very, very personal stories to tell. many of whom had never, ever given voice to their story before to another human being. my staff was worried that i was reading them a little too fast because 13 hours, as you can imagine, is a long time to fill. but amazingly, throughout the day as word spread about what was happening, our e-mail started filling up with stories that were coming in from women and men all over the state of texas. in fact, by the time that it was
11:32 am
over, we had received over 16,000 personal stories. people who were hungering to be heard. i have to tell you at some point during the day, i stopped worrying about running out of time or running out of stories, i started worrying about running out of time. when i stood up at my desk that day, i had no doubt that filibustering the bill was the right thing to do. but i had no idea that it would trigger such an overwhelmingly positive response around the country. across the state and of course across the country, there was an outpouring of support from texas women. the most remarkable thing about it is that stories that otherwise never would have been told were suddenly national news. the voices that we heard in support of my filibuster that night are not the ones that we
11:33 am
normally hear amplified across the state of texas. and i think a lot of people who live outside our state are surprised that they even exist. but texans know that the voices in our state that shout the loudest have not often been ones that speak for everyone. that night, the nation was introduced to a force within our that is going to have a lot to say about the shape that the future of texas takes, the shape that america takes. we will show the entire segment with wendy davis, texas state senator, tonight at 8:35 p.m. eastern here on c-span.
11:34 am
>> mayor and council chairman vincent gray face each other in one of the most contentious and expensive elections in d.c. recent history. vincent gray won the public over as an affable and effective chairman. shortly after gray took office in 2011, brown, who had also run for mayor, told the "washington post" that he was paid and offered a job in exchange for disparaging information during the election. federal investigators soon discover that much of brown's story was true. they also uncovered an even bigger secret -- the shadow campaign. basically you had a campaign that was going on, the regular campaign easy, and then you had another set of folks who were in an office right next to the gray campaign.
11:35 am
during the campaign, there is so much going on i'm a unit several workers actually complaining, several official workers complaining about the other workers because they felt that they were getting paid more, and there was a lot of confusion as to who was paying them, etc. it was not until a year later that folks started putting things together when federal investigators began asking questions, and they realize wait a minute, the folks who were next door, we cannot find any record of them in the campaign-finance records that we see. so how did those folks get paid, and who was in charge of them? >> nikita stewart looks at corruption in d.c. politics. >> the former director of the cia and nsa michael hayden talked about the electric grid and protecting it from cyber attacks. he talks for about 50 minutes.
11:36 am
>> good morning. if everybody would take a seat. i want to welcome everyone. i am joe krueger, director of environment at bpc. for those who don't know us, bpc was founded in 2007 by four senate majority leaders. we like to say we are bipartisan, not nonpartisan. we work with people who are strongly partisan of various parties, but who believe with good and rigorous analysis, negotiation, and respectful dialogue, you can actually come to agreement on policy issues.
11:37 am
it sounds crazy, right? but it is what we do. i think it is needed now more than ever. cybersecurity really is a type of issue that can and should be bipartisan. we will hear from our keynote speaker in a minute that the threats are real, and we will hear that from a lot of the speakers today, and the potential economic and human cost of a successful cyber attack are potentially huge. so this workshop today is to sort of look at, are we ready for this? what is going on within the government and private sector? what still needs to happen? it is part of a broader initiative at bpc on cybersecurity, a joint between homeland security and cyber security. our goal is to develop recommendations for how multiple and sometimes overlapping agencies plus private companies
11:38 am
can protect north american grid from potential cyber attacks. our frame we are using is not a really technical necessarily what should each specific company do to protect their operations, but the frame is governance. how to get organized to address these threats. things like, who is responsible for preventing attacks? what is the role of government? and by government i mean federal, state, and local government. there are some standards already with the electric grid. are more standards needed? are there other approaches that would be more effective? those are the kind of issues we are grappling with. how do we share intelligence between private sector and the government? and how do we ensure there are appropriate privacy protections while we do that? if there is an attack, how do we limit that and how do we respond to that? how do we respond so we are prepared for that?
11:39 am
our overall initiative on cybersecurity is chaired by general hayden, cochaired by general hayden whom we will hear from in a moment, and were also working with a good group of experts on cybersecurity and we expect to release a report with some recommendations for policymakers in the fall, so stay tuned for that. i am going to stop there. thank you for coming. thank our partners for helping us with this workshop. one housekeeping thing, the end of each session, we will have time for questions and there are microphone stands set around the room. we ask people to come up and introduce yourself before you ask your question. with that, let me introduce my colleague, carie lemack, who is the director of bpc's homeland
11:40 am
security program and she will introduce our keynote speaker. thank you. >> good morning. i know you didn't all come here to listen to me, so i will make this short and sweet. i'm the director of the homeland security project at the bipartisan policy center. for those not familiar, it is chaired by former governor tom kean and former congressman lee hamilton. they were cochairs of the 9/11 commission. they have come together with a group of 14 other experts to do their part to make sure our country is keeping vigilant and remaining ready to thwart any threat we face. cybersecurity is something a lot of people are talking about, but not a heck of a lot is known on what to do about it. that is why we're so thrilled to be working with the energy team at the bpc on this very important electric grid cybersecurity initiative. today we have general hayden to speak to us this morning.
11:41 am
he is the cochair of this initiative. general hayden is a renowned expert on the issue of cybersecurity. he was the director of the cia and nsa, now a principal at the chertoff group. he is going to spend a few minutes talking about the threat as he sees it and then we will open it up to q&a. we will be happy to hear your thoughts and his answers. general hayden. [applause] >> good morning. thanks for the chance to chat with you today. i will try to limit my transmission up here to about 20 minutes or so and then leave about 15 minutes for any
11:42 am
questions or comments that you might have. as i already suggested, my purpose here is what my army buddies used to call the big hand, little map. i get to do the strategic overview. what you have following me are people far more expert than i in the specific definitions of the problem and specific responses to the problems that i think we're all going to identify here today. folks in government, folks in industry, federal government, state and local government, think tanks. perhaps begin to map out a way ahead that we certainly want to see reflected in our final report. let me begin. big hand, little map, broad concepts. as the day goes down, we will get into specifics. this cyber thing is pretty important and i think it is here to stay. we kind of messed it up.
11:43 am
i actually did that at a black hat conference about four summers ago in las vegas. i'm in the ballroom of caesar's palace with 3000 reformed or semi-reformed hackers, kind of leaned into the darkness out there with the bright lights on me and said, look, as an american g.i., i view cyber as a domain-- land, sea, air, space, cyber. i know who did these four and frankly, i think you did a reasonably good job and i think i know who did this one, and that is you -- and i leaned into the darkness and said, and i really think you messed it up. thankfully, no one said, get a rope. the response was kind of mild giggles. and we moved on. but we did kind of screw it up. look back at the history of this thing. we are lucky enough to have the people who created this still among us.
11:44 am
vint cerf comes to my class to talk to students, been out there at stanford and starting to plug things in and respond to the statement of work from arpa, you me something that connects a number of labs and universities so i can move information quickly and easily. keep in mind what that statement of work was. quickly, easily, limited number of nodes, all of whom i trust. that remains the architecture today and the world wide web. that is why we are in the position we are in. it wasn't built to be protected. it made no more sense to build defenses into that original concept than it would be for you and i to put a locked door to join our kitchen and dining room. i mean, the whole architecture of the house designed to get food from the kitchen to the dining room while it is still
11:45 am
warm, why in god's name would you put a locked door between the two? that is kind of what we built here. it is an unlimited number of nodes, most of which i don't know, and a whole lot don't deserve to be trusted. as clear as i can put it, statement of the problem. let me go down one layer and talk about cyber sins and sinners since i've already suggested it is a pretty tough neighborhood. three layers of sins. first layer, just stealing your stuff. former defense secretary, bill lynn, pointed out almost all the things that we fret about on the web is in the range of stealing your stuff. it is cyber espionage, criminality, personal identifiable information, your pin number, credit card number. they are stealing your stuff. the second layer, and you will
11:46 am
get the tone of this commentary in a moment that this is getting worse, the second is not just stealing your stuff, it is disrupting your network. estonia 2007, remember patriotic russian hackers crashing the estonian internet system because they were mad they were moving the memorial out to the suburbs? same patriotic russian hackers in 2008, invasion of georgia, brings the georgian net to its knees. more current, more problematic, more personal for you and me, shamoon virus, 35,000 hard drives wiped clean. pick your enterprise. imagine yourself going back to
11:47 am
wherever you work and imagine 35,000 hard drives being wiped clean. you get the picture. frankly, although our government has not announced yet, i think you and i know it is the iranians. apparently, the iranians somehow feel offended in the cyber domain. serial attacks against bank of america, wells fargo, jpmorgan chase and the list goes on. i spoke to a security office and says under normal day, they get hit 15,000 times. they're getting 3 million hits a minute at the height of the iranian attacks. a lot more disruption. stealing your stuff, disrupting your network, and finally, using this domain up here to create effects not confined to my
11:48 am
thumb, but effects down here. the most dramatic is stuxnet. stuxnet almost certainly conducted by a nationstate because it is too complicated to be done in your garage or basement. but given my background, former director of cia and nsa, blowing a thousand centrifuges -- i will describe what i just described to you in slightly different words. someone almost certainly a nationstate just used the cyber weapon to destroy another nation's critical infrastructure. ouch. that is a big deal. you may or may not have seen me on "60 minutes" about a year ago in which i characterized that as someone crossing the rubicon. lives are going to be very different. those are the sins. who are the sinners? nationstates. you know that. criminal elements.
11:49 am
the third group that i have trouble defining -- anarchists, activists, anonymous, lulzsec, 20 somethings that have not talked to the opposite sex in five or six years. [laughter] blessedly, the capacity to do harm is pretty much the way i laid out the taxonomy. governments are by far most competent. criminal gangs are the next layer. then you have this group down here. as bad as governments could be, sooner or later they can be held to account. you have got criminal elements, and they can be pretty dangerous and they are kind of guns for hire, but fundamentally, criminals want to make money. they enter into a symbiotic relation with whatever their target is. and it is a strange creature, a strange parasite in nature who enters into a symbiotic
11:50 am
relationship with a host they want to kill or destroy. so i think even criminals are somewhat limited. what worries me is this game down here. right now they are least capable, but you know better than i, the tide is coming in and all the boats in the harbor are coming up. so this group is beginning to acquire capacities that maybe a year or two or three ago we equated only with some of the more competent, more capable groups. as time goes on, we're going to see this group down here whose demands are actually hard to define, whose demands may be unsatisfiable, beginning to acquire the capacities that we now associate with nationstates. let me drill this down to something specific. if and when our government grabs edward snowden and brings him back to the united states for trial, what does this group do?
11:51 am
well, they may want to come after the u.s. government that, but frankly, it is about the hardest target in the united states if they cannot create great harm, then who are they going after? who for them are the world trade centers? the world trade centers as they were for al qaeda? so i guess what i'm suggesting is, it is going to get worse before it gets better. i mentioned it being very hard up here. let me give you a couple of reasons why it is really hard for us to defend ourselves. let me put you through a dod double and talk about intelligence and operations for a moment, but bear with me, i think there is a relevant point. down here in these domains where, frankly, i conducted intelligence for most of my career, intelligence is what you do before the operation.
11:52 am
you got to know your enemy before you conduct an operation against your enemy. so it is sequential. intel first, operation is next. i also suggest to you as hard as intelligence was sometimes, intelligence almost always -- pretty close to universal rule intelligence gathering almost always was easier than the actual operation you are going to try to perform eventually. for example from the cold war, you got the soviet union and the missiles out there, threaten the united states. finding those missiles was kind of hard. deal with those missiles, much more difficult prospect, proposition. that is physical domain.
11:53 am
now up here to my thumb. reconnaissance up here still happens before operations. you got to know the target before your operating against the target. but unlike the physical domain, the reconnaissance is harder. it is more difficult to penetrate a network, live on it undetected, extract what you need from that network from a long period of time, and continue to operate on it is far more difficult to do than figuratively or metaphorically taken the front door and something. in other words, up here, the attack, the disrupt or destroy thing, the attack is a lesser included case of reconnaissance. if i can live on your network undetected for intelligence purposes, i have already established far more than enough
11:54 am
control to use your network for disruption or destructive purposes. do you see the parallel i'm trying to draw here? that is why president obama in this year's state of the union when he kind of makes a cyber point about midway through the speech talked about enemies on our networks. enemies on our grid. and why that is so disturbing. if they're on there and undetected, they already have -- whatever their intent, whatever they intend, they already have the capacity to do harm. without question, the country stealing our stuff the most is china. there is evidence if you read the white paper put out several months back about the chinese, there is evidence they are out there penetrating.
11:55 am
frankly, i find it hard to imagine circumstances where china would want to do something incredibly destructive to any american network, the grid, absent a far more problematic international environment in which the cyber attack is itself part of a larger package of really, really bad things. bear with me for a moment. i mentioned iran a few moments ago. what would prompt iran, second- rate power overall but a very bright nation with technically competent people, what would prompt iran to try to inflict economic pain, economic damage on the united states? sanctions? sanctions with no hope of relief?
11:56 am
what we used to call limited kinetic action against iranian nuclear facilities? look, these are all fanciful scenarios and i'm not trying to be predictive up here, i'm just trying to be illustrative. it gets worse before it gets better. ok, how do we make it better? ok get the idea a lot of this is heading south. what are things we can do to stop it from heading south? what are steps we can take as a prudent people? it is much harder for us to defend ourselves up here. i already talked about the geography. we created it incorrectly. we didn't build any routines come oceans, so defense is very
11:57 am
hard. but it is hard for another reason. it is hard for philosophical reasons. let me offer the view. i am being 10% provocative and maybe 90% accurate. the united states will forever have one of the least well- defended networks on this planet because of james madison and alexander hamilton and all those other good folks who wrote the federalist papers. we as a people have not yet created a consensus as to what it is we want our government to do up here or what it is we will let our government do up here. i left my iphone down there in
11:58 am
the portfolio. usually i pulled out my iphone and say, give me another 15 minutes and i will convince you this as a gateway to conflict and you will all be scared of your iphone or blackberry. i usually get the response from the audience, yeah, he's right, this is dangerous. i'm upgrading my phone after two years. i'm in the apple store in northern virginia. you know, the young kid comes up, he sells me an iphone. he is telling me the features. he points to the iphone and pulls up the page and says, apps. 400,000 apps available. then he turns to do something else and i turned to my wife and says, this kid does not know who i am, does he? those are 400,000 attack vectors.
11:59 am
i generally can convince an audience -- americans say, ok, where is my government? i pay taxes. why isn't the government defending me? i finish my speech, polite applause, and then they reach into their pocket and pull out their iphones and blackberries and what did they do? check e-mail. the zone of conflict -- they are saying, where's my government? now it is personal communications. let me tell you a thought that has not naturally occurred to americans when they are checking their personal communications. gee, i wish my government were here. [laughter] and so, we have that tension. mike rogers, in the news about a lot of recent things. before all of the recent stuff
12:00 pm
blew up, they got a bipartisan bill passed through the house of representatives. frankly, a tremendous step forward but on balance a very modest bill about information sharing. ok? that thing is dead in the water. this congress is not going to act, moving the cyber ball much down the field. a lot of that has to do with what has been in the news for the last seven or eight weeks, and that is edward snowden. frankly, the greatest concentration of cyber power on this planet is a $45 cab ride from here up the bw parkway at the intersection of the baltimore-washington parkway and maryland route 32. keith alexander has world-class athletes not on the field, but not on the bench. they have not suited up because you and i have not figured out what it is we want our government to do or what it is we will let our government do.
12:01 pm
this whole snowden thing, raising the specter of an overly aggressive government and government overreach and so on is going to freeze this. so, those of you in private industry, i guess the point i really want to make to you, the next sound you hear will not be a bugle and the sound of pounding hooves as the federal cavalry comes over to your cyber rescue. to the degree you have never expect that it down here in the physical domains, you're responsible for your safety up here a lot more personally, corporately, than you are down here. by the way, the snowden thing also seemed to have cleared another, i think, useful approach with regard to dealing with this domain and its inherent dangers. and that is international cooperation to create global cyber norms.
12:02 pm
his release of alleged nsa hacking of chinese computers was timed precisely a few days before our president met with the chinese president where they were going to begin an honest dialogue about appropriate cyber behavior, and that, of course, turned into mutual recriminations as snowden's allegations allowed the chinese to pretend there was actually an equivalency between american and chinese cyber behavior. so, industry is going to have to do a lot more up here than they are accustomed to doing down here. the government is going to be hermit lead late believe. by the way, you are going to have government speakers up here. i hope it does not offend them. i was government for 39 years and i tried my best. but i know culturally, politically, philosophically, we will be late to lead. the good thing is industry understands that a great deal. i have been out of government for almost five years and i have
12:03 pm
seen the migration of industry's appreciation of the problem. when i started working with the chertoff group after i left government we got to talk to ceo's because they want to talk to us. government as client. government as provider -- i am sorry, the private sector as client has seized the issue and government as provider is also doing some incredibly interesting things. there is just a tremendous intellectual ferment out there in terms of reducing vulnerability, managing consequences, or precisely identifying the kinds of threats that you and your industry should be worried about.
12:04 pm
let me give special credit to two industries that i think are really seized to this issue. one is financial services and the other is the electric industry. they are very different but they do enjoy one thing in common. if something goes bad, you are going to notice that in both of those industries. so, they know they are on the x, as we used to say up at langley, and both of them are working very hard to do the kind of things i suggested they are going to have to do up here to be safer and more secure. the industries are different. there's a lot less personal identifiable information sloshing around in the electric problem than there is in the financial services problem. so, i would suggest to you that the electric industry, in addition to being seized to the issue, understanding how lucrative a target they are and understanding the vulnerabilities others might try to exploit, in addition to all
12:05 pm
that, the electric industry might actually be the trail breaker here. the electrical industry might actually have the opportunity because they have a few less of the problem sets that financial services might have. they may be able to establish residence up here in this new domain that not only, a, helps the industry better defend itself but, b, break trail, as i said, for the kinds of relationships we are all going to have to develop over time between the private industry and government. that is kind of the topic we have here for today. how is the electric industry going to scope the problem? what are the avenues by which they can move forward? the point i simply wanted to make at the end is other industries are going to go to school on what this industry does.
12:06 pm
that actually is a pretty attractive proposition. with that, i used up my allotted time. i know carie said there will be questions and there are some microphones there. i am happy to take whatever you might have. are you going to moderate? [applause] >> i think we will open it up right here. if you could introduce yourself and your affiliation. >> spencer ackerman with "the guardian," you suggested in the event of apprehending edward snowden, there might be cyber terrorism as a private. could you tell me who you anticipate would pull off the attacks, where on the level of the three scales you outlined they might occur and what evidence do you have that causes you to say something like that? >> spencer, you heard me say i was being entirely speculative and not predictive. just trying to illustrate there are a group of people who make demands, and the demand might not be satisfiable and not the kind of thing the government cannot accommodate. but certainly mr. snowden has created quite a stir among those
12:07 pm
folks who are very committed to global transparency and the global web kind of ungoverned and free. and i don't know there is a logic between trying to punish america or american institutions or his arrest, but i hold open the possibility. i could sit here and imagine circumstances and scenarios, but they are nothing more than imagining. >> you don't think it would be, for instance, a foreign intelligence service who would pull up some kind of thing but you think a transparency group? what would that level of attack or capability you think look like? >> again, spencer, i said there are three levels of attacks. this one down here worries me the most. blessedly they are currently the least capable but they become
12:08 pm
more capable each day. i can't precisely predict where one or another element of the group -- which you know is very dispersed -- might have skills, what vulnerabilities they may have detected and how much of a massive effort they could put together on short notice. i know nothing of that. i do know wikileaks stage one, they distributed denial of service attacks against american credit card companies and paypal and so on, and theoretical punishment for the steps they took. just suggesting it is possible it could happen again. >> right over here. >> my name is chris -- i found your comment interesting about how government and private sector getting bombarded every day with cyber attacks. it is fair to assume one of the potential ways to combat those are reduction in the nature of communication electronically?
12:09 pm
god forbid, we use pen and paper and telephone. is that a trend? is it fair to assume governments and private sector would be looking at dummy information across networks. if they know they are being attacked, i assume you could create dummy data to send people down rabbit holes. might those be a couple of ways to start to combat this? >> yes, obviously. to make it less lucrative, more problematic. to keep the less talented from stealing, for example. those who are less sophisticated. one idea i have heard. if i said a whole lot about this i would be truly making it up. from my liberal arts background. people talk about dot secure, kind of an additional network -- taking a mulligan, getting a do over. it does not mean undoing what we have. keeping what we have for everybody who wants to violate their own privacy and post things on facebook and so on, and they enjoy the freedom. but create another, more secure environment over here that is less ubiquitous, less easy to use, requires multiple factor
12:10 pm
authentication. it is not nearly as fast. has a high degree of latency built in. it is really hard to take your money. i am a history major. i do not reason by technology but i reason by example. i have been to london. went to london 30 years ago. anybody been to soho in london one he or 30 years ago? a bit cleaned up now. but soho back then -- theater, art, dance, freedom, liberty, license and the drugs, prostitution, petty theft, ok? that's kind of over here. where you get the maximum liberty and the maximum danger. other neighborhoods in london were incredibly boring. in fact, most of the houses had fences around them. i don't think they are nearly as interesting as soho, but then again, there was not much petty theft there, either. there may be a future in which we begin to build an alternative
12:11 pm
universe that actually is, has security cooked in from the beginning rather than trying to apply here. >> general hayden, you have been very interesting this morning -- you said you only 10% - a friendly audience, it may be true. somewhere else, it would be see because it are 90% provocative. you raise the snowden, and you said apprehension, and of course the russian and chinese would consider a kidnapping. let's say you mentioned even iran. i am sure you remember the united states and israel together hacked the iranian nuclear facilities first before they started attacking financial and so on.
12:12 pm
given that, this provocative speech you are getting here, is it meant to promote the united states government to give more contracts to you? >> first of all, the chertoff group is not a government contractor. we had our fill of government. there were some questions in there. hang on. there are two countries on earth that have a cyber command -- to my knowledge that one is republic of korea and the other is united states of america. by the way, i mentioned bill lynn's article -- deputy secretary of defense, "foreign affairs," two or three years ago. the most important line in the article was under the title. deputy secretary of defense. in other words, the seminal
12:13 pm
american article on cyber thinking was not written by the deputy attorney general, not by the deputy secretary of commerce, not by the office of science policy in the white house, not by the u.s. trade representative, but the deputy secretary of defense. i am catholic by tradition -- bless me father, i have sinned, because i was part of it. we could be accused of nudging the militarization of cyberspace in that direction by the way we talked about it as a nation and by the way we have organized ourselves as a nation. bill lynn's article talks about cyberspace the way i talk about the airspace as an airman. air dominance, cyber dominance. using domain for your purposes. and i use to others upon command. that is how we talk about it. so, i get it. ok?
12:14 pm
i have no views on who may or may not have conducted the attack against -- with the stuxnet -- with the virus, but my view is, it was a big deal. what i said is i understand the difference in destruction is dramatic but this has the whiff of august of 1945. somebody just used a new weapon. and this weapon will not be put back into the box. i get all of that. but you were probably were provoked, common of snowden suggesting equivalency between american and chinese cyber behavior. up there where you steal stuff, let me go on record. we steal stuff. we are really good at it. as director of the national security agency, i used to view that we were number one when it came to stealing stuff in the cyber domain. but we steal stuff to keep you free, we steal stuff to keep you safe. we do not steal stuff to make you rich.
12:15 pm
that is a big discriminator between ourselves and a whole bunch of other nation-state actors out there. tom? >> hi, general hayden. from npr. you seem to be pretty confident about the ability of the private sector in the electric industry to safeguard assets. but in the private industry, executives have to make cost calculations. they have to weigh the costs of the mitigation measure against a threat or against a risk. the kinds of incidents you are talking about are, i would say, probably low probability but high impact. the combination you are familiar with from the intelligence world. are you comfortable with private industry facing low probability of incidents that would have a high impact are going to make the same cost calculations, expense calculations that a government agency would make?
12:16 pm
>> tom, that was a great question. let me make it even tougher. very often, even in the event of the low probability-high impact attack, the cost to the industry is infinitely less than the cost of the surrounding society. i live in northern virginia. two summers ago, the violent storm derecho came through and cost dominion power a lot. what it cost dominion power nowhere came close to what it cost northern virginia. in addition to the low probability, you've also got the fact that your cost may be more confined than the cost to the overall society. all true. therefore, what you need to do number one, it is really hard to build a business case for this. it really is. and so, it is more of a broader responsibility case that has to be made in terms of good corporate citizenship in addition to the narrow business case.
12:17 pm
one experimental idea, tom -- and it is not quite tied to what you're suggesting -- is the whole concept of cyber insurance. which then spreads both the costs of defense and the cost of catastrophe over a wider audience. i don't know what cyber insurance looks like quite. i don't know the equivalent of collision, comprehensive, and personal interest -- injury. but i could imagine cyber insurance for -- i lost my stuff, i lost my network. my network was used to harm somebody else. or i've got a big class action suit because all of that personal information is out there. there may be ways to create that structure of insurance, and then within the insurance -- i kind of check the shingles on my house now before i buy it because the insurance is different depending on what kind of shingles i have or if i am closer -- you understand.
12:18 pm
there may be ways that we collectively spread the burden over the society that the government fosters mechanisms by which these natural forces take shape and affect rather than the guy with a whistle and the clipboard kind of coming through your industry and checking things off. sorry, great question. and we've got a lot of work to do. but i think there are ways. >> i think we have time for one more question? >> yes, thank you, general, for your comments. kerry gerrit, state utilities commissioner for new jersey. you mentioned in your talk about progress in rogers' house bill which stressed information sharing. my question is, how important do you think it is for the federal government to share information about threats with the utility sector? and do you think the federal government is doing a good job in that area of developing relationships with the electric
12:19 pm
sector in sharing information about threats that the electric industry can take into account and respond to? >> when i talk to anyone in government, they tell me they are doing a really good job. [laughter] now in the private sector, however, when i talk to other folks, it is not quite the glowing review. let me take your question and describe a dynamic and problem inside government. i was director of nsa for six years. nsa is very famous for its offensive squad. going in, stealing stuff. about a fifth of the agency is defense. it also has the responsibility of protecting government secrets in the united states. not every country in the world has organized its intelligence center that way, to put the offense and defense in the same organization.
12:20 pm
we have done it that way. i think we have done it well and correctly. we have done it that way because offense and defense rotated around the same concept. that concept is vulnerability. if you master the vulnerability you can play offense, if you master the vulnerability you can play defense. and the life of nsa -- let's go pre-cyber. in the life of nsa, you always had a trade-off between the two squads. when you discover a vulnerability, do you want to exploit it to play offense or do you want to fix it to play defense? back in the pre-cyber world we had a pretty well-worn road as to where the line is. i am willing to enter into a debate that that line might not be in the wrong place. that the old approach to it, the old calculation -- i want to keep that vulnerability because

